IT Infrastructuur Architectuur Blog

Sjaak Laan's visie op infrastructuur architectuur

Human factors in security

Lately some discussions arose on the Internet about the human factors in the security Common Body of Knowledge (CBK) of the (ISC)².

Some of the arguments can be found here, here and here. The point is that by learning the CBK (see here for a link to the CBK book), students who want to certify for CISSP are not trained in the human factors of security.

Some say that apart from the 10 main topics in the CBK an extra topic on human factors should be added. Others state that human factors are part of almost all of the CBK topics. My opinion is that human factors are not very well addressed in the CBK. Instead of adding an extra topic to the CBK, I would suggest including human factors more explicitly in the CBK topics already available. Not only should human factors be included, but also some generic patterns should be addressed that can be used to handle the human shortcomings regarding security.

Some of these are:

Humans tend to be sloppy. They write passwords down or they lose USB sticks.

Humans tend to take shortcuts to do their work more efficiently, sometimes circumventing security policies.